IE zero-day leaked to China?
Google researcher Michal Zalewski says details on a potentially serious IE vulnerability could be in the hands of Chinese hackers.


Chinese hackers potentially have their hands on an unpatched zero-day flaw in Internet Explorer, a Google researcher has said.
Michal Zalewski said a debugger he created called cross_fuzz discovered an "evidently exploitable vulnerability," and he has now raised concerns the IE flaw is "known to third parties in China."
The issue arose after a developer accidentally leaked the address of the debugger, or fuzzer, in an uploaded crash trace.
This subsequently led to Google indexing the debugger's directory, which contained information on the vulnerability.
On 30 December, search queries seen by Zalewski showed how the details on the flaw and files relating to an unpublished security tool had been obtained by an unknown party with a Chinese IP address.
"The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski wrote.
Microsoft and Google come to blows
Zalewski, who said his debugger had helped identify around 100 bugs in all browsers on the market, claimed Microsoft had been contacted about the vulnerability in July.
The Google researcher claimed Microsoft had then asked for the release of the tool to be delayed "indefinitely," after the Redmond giant had purportedly reproduced multiple exploitable crashes in testing out the flaw.
"Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he added in a blog post.
In a timeline of his interactions with Microsoft, Zalewski disputed the company's account of the course of events.
"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 could not reproduce the vulnerability outlined in msie_crash.txt," he said.
"This is inconsistent with my record."
Jerry Bryant, group manager in Microsoft's Response Communications, claimed no issues had been identified by either Zalewski or Microsoft following the release of the tool in July.
However, Bryant admitted Microsoft and Zalewski discovered at a later date that the debugger released in July did throw up some issues.
"It is important to clarify that neither Microsoft nor Zalewski found this issue in the July timeframe," he said.
When an updated version of the debugger was released in December and found a "potentially exploitable" flaw, Microsoft started trying to determine whether the vulnerability was really exploitable, Bryant said.
"After reviewing the new version of the tool and the crash report, we requested that Zalewski hold the public release of the new version of the tool and information on the specific vulnerability found in December until we could investigate further," Bryant added.
"We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."
He added that Microsoft was not aware of any successful attempts to develop proof-of-concept exploit code, or of any attacks resulting from the tool's release.
"If the situation changes, we will take the appropriate action to help protect customers," he said.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.